Qualys IaC Security Integration with Jenkins 


In the existing Continuous Integration and Continuous Deployment (CICD) environment, 
security scans are conducted on cloud resources after deployment. As a result, you 
secure your cloud resources only post-deployment, in the respective cloud accounts. 


With the introduction of the Infrastructure as Code (IaC) security feature in Qualys 
CloudView, you can now secure your IaC templates before the cloud resources are 
deployed in your cloud environments. The IaC Security feature helps you shift your cloud 
security and compliance posture to the left, allowing cloud resources to be evaluated for 
misconfigurations much earlier, during the development phase. 


CloudView offers integration with Jenkins to scan and secure your IaC templates using a 
Jenkins pipeline job. It continuously verifies security misconfigurations against CloudView 
controls and displays the misconfigurations for each run. With continuous visibility of 
the security posture of your IaC templates in the Jenkins pipeline, you can plan 
remediation to stay secure post-deployment. 


For supported templates, other integrations, and features of Cloud IaC Security, refer to 
the CloudView User Guide and the CloudView API User Guide. 
Scanning IaC Templates at Jenkins 


The Jenkins integration allows you to perform IaC scans using a pipeline job. We provide 
a pipeline job and options that you can configure to run based on various triggers. 


You can perform an IaC scan on either of the following: 
- the entire Git repository. 
- only the templates that were newly added or updated in the branch. 


The results are generated on the build console, giving you proactive visibility 
into the security of the IaC templates residing in your Git repositories. 


Pre-requisites 
- Ensure that you have a valid Docker Pipeline plugin installed. 

- Configure the environment variables used in the pipeline script before you run the 
pipeline job in Jenkins. For more information, refer to Configure Environment Variables. 

- To auto-trigger a Jenkins pipeline job, ensure that you install the relevant Source Code 
Management (SCM) plugin, e.g., the Bitbucket plugin or Bitbucket Server Integration. For 
auto-trigger, the pipeline job must contain a Jenkinsfile. 

- Docker must be installed on the Jenkins slave node. 

- Ensure that you have a valid Qualys CloudView Security Assessment app subscription. 


Let us see the quick workflow: 
- Configure Environment Variables 
- Configure Git Repositories 
- Configure Pipeline Job 
- View Scan Output 


Configure Environment Variables 




The steps to add new environment variables are as follows: 


1. On the Jenkins console, go to Manage Jenkins > Manage Credentials. 




2. Click any row and go to Add Credentials. 




3. Select the Secret text option from the Kind drop-down menu and enter the required 
Secret and ID. 

Note: In the Secret field, add the actual value for the URL, username, or password, and in 
the ID field, add a variable name such as QUALYS_URL, QUALYS_USERNAME, or 
QUALYS_PASSWORD to identify that secret. Use these variable names (IDs) in the script, 
not the actual values. 




4. Click OK. 


The newly added credentials appear in the Dashboard > Credentials list. 


Variable           Description 
QUALYS_URL         Qualys platform URL. To know about your Qualys platform URL, click here. 
QUALYS_USERNAME    Qualys username 
QUALYS_PASSWORD    Qualys password 


Configure Git Repositories 

The steps to configure Git repositories are as follows: 

1. Select the Jenkins Pipeline Project and click Configure. 

2. Scroll to the end and click Pipeline Syntax. 

3. Select git: Git from the drop-down menu. 

4. Add Repository URL, Branch, and Credentials in the respective fields. 

5. Click Generate Pipeline Script. 

6. Copy this generated pipeline script and use it while configuring the pipeline job. 


Pipeline Syntax page (screenshot): in the Snippet Generator, the Sample Step git: Git is selected 
with the Repository URL, Branch (master), and Credentials (Github-Creds) fields filled in. 
Clicking Generate Pipeline Script produces a statement of the form: 

git credentialsId: 'Github-Creds', url: 'https://github.com/xxxxxx/GithubAction.git' 
Configure Pipeline Job 

You can use the Jenkins pipeline job to scan and secure the IaC templates. 

The steps to create a Jenkins pipeline job are as follows: 

1. Create a Jenkins pipeline project and place the required script in the pipeline project. 


2. If you want to scan the entire repository, set the value of scanWholeRepo to true. If you 
want to scan only the changed or newly added files, set the value of scanWholeRepo to 
false. 


3. To run this job on the required agent, add the agent details in the script and click Save. 


4. Paste the generated pipeline script copied earlier in step 6 of Configure Git Repositories. 


5. Add the environment variables created in step 3 of Configure Environment Variables. 


6. If you are connected through a proxy server, specify the HTTP proxy details in the script. 


Sample Script 

def scanWholeRepo = false 

pipeline { 
    agent { label 'vm198' } 
    stages { 
        stage("Checkout the Code") { 
            steps { 
                // Use the Pipeline Syntax snippet generator and select the sample 
                // step git: Git to produce this line 
                git branch: 'main', credentialsId: 'Github-Creds', 
                    url: 'https://github.com/xxxxxx/GithubAction.git' 
            } 
        } 

        stage("Run QIaC Container") { 
            agent { 
                docker { 
                    // Qualys docker image name 
                    image 'qualys/qiac_security_cli' 
                    args '--entrypoint=""' 
                    alwaysPull true 
                    reuseNode true 
                } 
            } 
            environment { 
                // Create each value as a Secret text credential in Jenkins and 
                // reference it here by its credential ID, never by the actual value 
                QUALYS_URL      = credentials('QUALYS_URL') 
                QUALYS_USERNAME = credentials('QUALYS_USERNAME') 
                QUALYS_PASSWORD = credentials('QUALYS_PASSWORD') 
                // Set a proxy only if your environment requires one 
                HTTP_PROXY  = "http://xx.xxx.xx.xx:xxxx" 
                HTTPS_PROXY = "http://xx.xxx.xx.xx:xxxx" 
            } 
            steps { 
                // Do not change the following commands 
                sh 'su qiac' 
                sh "sh /home/qiac/iac_scan_launcher.sh ${scanWholeRepo}" 
            } 
        } 
    } 

    post { 
        always { 
            archiveArtifacts(artifacts: 'cli_output') 
            // The Workspace Cleanup plugin is required for cleanWs() 
            cleanWs() 
        } 
    } 
} 
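The following Jenkinsfile is an added example and is not code from the Qualys guide. It reworks the sample script above so that the scanWholeRepo toggle becomes a build parameter (SCAN_WHOLE_REPO) selectable per run instead of an edit to the script, adds a fail-fast step that verifies the three credential IDs resolved to non-empty values and that QUALYS_URL is an https URL before the scanner is launched (values are checked for presence only and never printed), and leaves the proxy settings as commented-out placeholders. The image name, launcher path, credential IDs and agent label are taken from the sample script; the parameter name, the 30-minute timeout and the preflight check are assumptions made for illustration.

```groovy
// Added example (not Qualys' or Jenkins' code). Assumptions: the parameter name
// SCAN_WHOLE_REPO, the timeout value and the preflight check are illustrative;
// image, launcher path, credential IDs and agent label follow the sample script.
pipeline {
    agent { label 'vm198' }

    parameters {
        booleanParam(name: 'SCAN_WHOLE_REPO', defaultValue: false,
            description: 'true = scan the entire repository; false = only changed or newly added templates')
    }

    options {
        // Hypothetical upper bound so a hung scanner cannot block the agent indefinitely
        timeout(time: 30, unit: 'MINUTES')
    }

    stages {
        stage('Checkout the Code') {
            steps {
                git branch: 'main', credentialsId: 'Github-Creds',
                    url: 'https://github.com/xxxxxx/GithubAction.git'
            }
        }

        stage('Run QIaC Container') {
            agent {
                docker {
                    image 'qualys/qiac_security_cli'
                    args '--entrypoint=""'
                    alwaysPull true
                    reuseNode true
                }
            }
            environment {
                // Secret text credentials referenced by ID; Jenkins masks them in the log
                QUALYS_URL      = credentials('QUALYS_URL')
                QUALYS_USERNAME = credentials('QUALYS_USERNAME')
                QUALYS_PASSWORD = credentials('QUALYS_PASSWORD')
                // Uncomment and replace the placeholder only if a proxy is required
                // HTTP_PROXY  = 'http://proxy-host-placeholder:port'
                // HTTPS_PROXY = 'http://proxy-host-placeholder:port'
            }
            steps {
                // Preflight: confirm each credential resolved to a non-empty value and
                // that the platform URL uses https. Only presence is tested; the
                // values themselves are never echoed to the console.
                sh '''
                    set -eu
                    for v in QUALYS_URL QUALYS_USERNAME QUALYS_PASSWORD; do
                        env | grep -q "^${v}=." || { echo "missing or empty credential: $v" >&2; exit 1; }
                    done
                    case "$QUALYS_URL" in
                        https://*) ;;
                        *) echo "QUALYS_URL must start with https://" >&2; exit 1 ;;
                    esac
                '''
                // Same launcher invocation as the sample script, driven by the build parameter
                sh 'su qiac'
                sh "sh /home/qiac/iac_scan_launcher.sh ${params.SCAN_WHOLE_REPO}"
            }
        }
    }

    post {
        always {
            // allowEmptyArchive keeps the post step from failing the build when the
            // preflight check stopped the scanner before cli_output was written
            archiveArtifacts artifacts: 'cli_output', allowEmptyArchive: true
            cleanWs()
        }
    }
}
```

When this Jenkinsfile is first saved, Jenkins needs one run to register the parameter; after that, "Build with Parameters" offers the SCAN_WHOLE_REPO checkbox, so a full-repository baseline scan and the default changed-files scan can share one job.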
View Scan Output 
At the end of the job, the Jenkins pipeline creates the artifact file (cli_output). 


The steps to view the scan output are as follows: 


1. Go to Status and click view to see the scan report for the selected pipeline job. 


Pipeline job page (screenshot): the Last Successful Artifacts section lists cli_output with a 
view link, and the Stage View shows the Checkout the Code, Run QIaC Container, and 
Declarative: Post Actions stages with their average stage times. 


2. To view the scan report in detail, go to Console Output. 


